CHIME, AHA skeptical of disclosures rule
October 24, 2013 in Medical Technology
As patients get more access to their digitized personal health information, there are new challenges for providers — such as the need to tell patients how their data is being used, and to whom it’s being disclosed.
In tandem with the HHS Office for Civil Rights’ plans to finalize rules for accounting of disclosures as part of the HITECH Act, the Privacy and Security Tiger Team, a part of the Office of the National Coordinator’s Health IT Policy Committee, is taking a survey of the current landscape and crafting recommendations based on stakeholder input.
So far, there are some diverging views on the proposed rule, released in 2011, which would require providers to give patients a report detailing all internal access to their digital records as well as disclosures.
The American Hospital Association wrote that “the centerpiece” of the rule — a list of all access to patient records and an accounting of its use — “is misguided because it does not appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals.”
The AHA is asking HHS to clarify designated record sets and adopt proposed exclusions, including data on child and adult abuse, neglect or domestic violence, most research and oversight of population health trends. The AHA is also asking that the accounting mandate be limited to information no more than three years old — something HHS is on board with. The proposed rule would revise a previous HIPAA provision and decrease the disclosure accounting window from six to three years.
The Confidentiality Coalition, a broad group of hospitals, teaching colleges, health plans, pharmaceutical companies, and electronic health records companies, largely echoed the AHA, but is even more skeptical of the need for rigorous disclosure rules, citing the potential to overburden covered entities and to create an incentive to look for information for “frivolous lawsuits.”
“In general, we see little appropriate patient privacy interest in the details of these disclosures beyond information that already is received by patients or that can be accomplished through other existing means,” the coalition wrote in comments to the Tiger Team.
They’re suggesting that the new rule “should only be applied to disclosures that are ‘through’ an electronic health record.”
The College of Health Information Management Executives (CHIME) is concerned about variation in disclosure accounting and access reports. “Of chief concern to many CIOs is that all audit logs are not created equal. Despite having common data elements recorded across different solutions, there are few, if any, standard ways to generate reports,” CHIME wrote to the Tiger Team.